1 Introduction

This paper describes a class of decision procedures that we have found useful for efficient, domain-specific deductive synthesis. These procedures are called closure-based ground literal satisfiability procedures. We argue that this is a large and interesting class of procedures and show how to interface these procedures to a theorem prover for efficient deductive synthesis. Finally, we describe some results we have observed from our implementation.

Amphion/NAIF [Stickel 94] is a domain-specific, high-assurance software synthesis system. It takes an abstract specification of a problem in solar system mechanics, such as “when will a signal sent from the Cassini spacecraft to Earth be blocked by the planet Saturn?”, and automatically synthesizes a FORTRAN program to solve it. Amphion/NAIF uses deductive synthesis in which programs are synthesized as a byproduct of theorem proving from a domain theory. In this paradigm, problem specifications are of the form $\forall \bar{x} \exists \bar{y} [P(\bar{x}, \bar{y})]$, where $\bar{x}$ and $\bar{y}$ are vectors of variables, and we are only interested in constructive proofs in which witnesses have been produced for each of the variables in $\bar{y}$.

Deductive synthesis has two potential advantages over competing synthesis technologies. The first is the well-known but unrealized promise that developing a declarative domain theory is more cost-effective than developing a special-purpose synthesis engine. The second advantage is that since synthesized programs are correct relative to a domain theory, verification is confined to domain theories. Because declarative domain theories are simpler than programs, they are presumably easier to verify. This is of particular interest when synthesized code must be high-assurance.

There are several reasons why, despite these potential advantages, the number of deductive synthesis systems remains small. Perhaps the most serious reason is that systems built using this technology are almost always unacceptably inefficient unless the domain theory and theorem prover are carefully tuned. This tuning process requires a large amount of automated reasoning expertise, and even with this expertise, the process is iterative and extremely time consuming.

In our attempts to construct an efficient deductive synthesis system for Amphion/NAIF, we initially considered using Prolog. However, due to the extensive need for equality in the domain theory, Prolog was inappropriate. So we moved to a more general paradigm employing a refutation-based theorem prover. Constructing an efficient implementation in this setting was very time consuming.

In order to assist in constructing efficient implementations, we are developing a tool, Meta-Amphion [Lowry 97], that takes a domain theory as input and automatically generates an efficient, specialized deductive synthesis engine such as Amphion/NAIF. The key is a technique that generates efficient decision procedures for subtheories of the domain theory and then integrates them through an interface to a general-purpose refutation-based theorem prover.

A prototype of Meta-Amphion has been constructed [Roach 97]. This prototype has generated domain-specific deductive synthesis systems that achieve a significant speed improvement over non-optimized, general-purpose theorem provers. More importantly, these generated systems perform at least as well as, and often better than, expertly-tuned theorem provers for particular application domains. Figure 1 is a graph of the problem size (number of literals) vs. the number of inference steps required to find a proof for an unoptimized system, a hand-tuned system, and a system generated by Meta-Amphion (Tops). Figure 2 compares a hand-tuned system vs. the Meta-Amphion generated system (Tops).

This paper describes the underlying infrastructure used by Meta-Amphion, i.e. the interface and the properties of the procedures. (We do not discuss the generation of these procedures here.) We have found that even with hand-generation of these procedures, this infrastructure dramatically reduces the time it takes to construct efficient domain-specific synthesis systems by enabling an automated reasoning expert to quickly identify where decision procedures can be used to improve the performance of the theorem prover.

While much existing research on decision procedures has been either in isolation [N&O 79, Shostak 84, Cyrluk 96] or in the context of interfacing procedures to non-refutation-based theorem provers [PVS 92, B&M 88], we are unaware of any work done on decision procedures in the context of deductive synthesis where witnesses must be found. This paper presents a decision procedure interface to a theorem prover with several inference rules including binary resolution and paramodulation. The collection of extended inference rules enables satisfiability procedures to be interfaced to the theorem prover in a straightforward and uniform manner. Combinations of procedures can be plugged in on a theory-by-theory basis, allowing the theorem prover to be tailored to particular theories.
Section 2 introduces separated clause notation, the notation used by the separated resolution and paramodulation rules. The motivation for these rules is that they facilitate the use of decision procedures to replace general purpose theorem proving over a subset of a domain. Section 3 describes the decision procedure interface to the theorem prover. Section 4 describes decision procedures used specifically for deductive synthesis. Section 5 describes the implementation of the interface and the results of using these procedures for deductive synthesis for Amphion/NAIF.


2 Separated Inference Rules 

This section describes our extension to the inference rules in the SNARK [Stickel 94] theorem prover enabling decision procedures to be interfaced for deductive synthesis. The basic idea is that all clauses are separated into two parts: a part that is reasoned about by interfaced decision procedures and a part that is reasoned about by SNARK. First, separated clause form is defined, and then the separated inference rules are described. SNARK has inference rules resolution, hyperresolution, paramodulation and demodulation. The overall extension has been accomplished by extending each inference rule in a uniform manner. This paper only discusses separated binary resolution and separated paramodulation. The other rules are extended similarly.

Separated binary resolution is similar to resolution with restricted quantifiers or RQ-resolution [Burckert 91]. Recall that we prove $T \models \phi$ by refutation by showing that $T \cup \{\neg\phi\}$ is unsatisfiable. Assuming that $T$ is satisfiable, this amounts to showing that no model of $T$ is a model of $\neg\phi$. The general idea of our binary resolution rule (as well as RQ-resolution) is as follows. If there is a method for determining satisfiability of a formula relative to a theory $T_1 \subseteq T$, we prove $T \models \phi$ by showing that no model of $T_1$ can be extended to a model of $T_2 \cup \{\neg\phi\}$, where $T_2 = T - T_1$ (where a theory is a set of sentences closed under implication).

The separated rules work with clauses that are separated relative to a subtheory, called a restriction theory (also often called a constraint theory). Separated clause form is similar to RQ-clause form in [Burckert 91].

Definition 2.1 (Separated Clause) Let $L$ be the language of a theory $T$, a first-order theory with equality. We treat equality as a logical symbol, so $=$ is not in $L$. Let $L_1 \subseteq L$ be the language of $T_1 \subseteq T$. A clause $C$ with the following properties is said to be separated relative to $T_1$:

1. $C$ is arranged into $C_1 \vee C_2$, where both $C_1$ and $C_2$ are disjunctions of literals (i.e., clauses).

2. All the function and relation symbols in $C_1$ come from $L_1$ and all the function and relation symbols in $C_2$ come from $L - L_1$.

Constant symbols may appear in $C_1$ or $C_2$ regardless of what language they are in. Notice that $C_1 \vee C_2$ can be written $\overline{C_1} \Rightarrow C_2$, where $\overline{C_1}$ is the negation of $C_1$. Since $C_1$ is a disjunction of literals, $\overline{C_1}$ is a conjunction of the negations of the literals in $C_1$. If $C = [\overline{C_1} \Rightarrow C_2]$ is a clause separated relative to some theory, $\overline{C_1}$ is called the restriction of $C$ and $C_2$ is called the matrix of $C$. A set of clauses is separated relative to a theory if each of the clauses in the set is separated relative to the theory.

A clause is separated in two steps. In the first step, literals are placed in the restriction or matrix of a clause based on their predicate symbol. In the second, each non-constant term $t$ whose head symbol is in the “wrong” language is replaced by a new variable $x$. Then if $t$ appeared in the matrix, $x = t$ is conjoined to the restriction and if $t$ appeared in the restriction, $x \neq t$ is disjoined to the matrix.

Example 2.1 Suppose we have a theory $T_1$ of LISP list structure whose non-logical symbols are the function symbols HEAD, TAIL, and CONS. Then the separation of the formula $tail(L) \neq nil$ relative to $T_1$ is $x = tail(L) \Rightarrow (x \neq nil)$.
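The two-step separation just described, as an added example in Python (not code from the paper, SNARK or Meta-Amphion): literals are placed by predicate symbol, then every term whose head symbol is in the wrong language is replaced by a fresh variable, with $x = t$ conjoined to the restriction or $x \neq t$ disjoined to the matrix, recursively, so nested terms such as those in the append axiom of Example 2.3 (clause 5 of the proof table) separate the way the table shows. The term encoding, the names `separate` and `show_clause`, the fresh variable names `?v0`, `?v1`, ... and the convention that equality literals start in the matrix are assumptions of this example.

```python
"""Separation of a clause relative to a restriction language (Definition 2.1).

Assumed encoding (not the paper's): a variable is a str beginning with '?',
a constant is any other str, an application is a tuple (symbol, arg1, ...).
A literal is (positive, predicate, args).  Equality is the predicate '=' and,
being a logical symbol, belongs to no language, so equality literals start in
the matrix and are only moved by the term rule."""
import itertools


def separate(clause, restriction_funcs, restriction_preds=frozenset()):
    """Return (restriction, matrix): the restriction is a conjunction of
    literals, the matrix a disjunction, i.e. the clause  restriction => matrix."""
    restriction, matrix = [], []
    fresh = (f"?v{i}" for i in itertools.count())
    memo = {}                      # (term, side) -> variable already introduced

    def fix(term, side):
        """Rewrite `term` for `side` ('R' restriction / 'M' matrix); a term whose
        head symbol is in the wrong language becomes a new variable x, with
        x = t conjoined to the restriction or x != t disjoined to the matrix."""
        if not isinstance(term, tuple):      # constants and variables may appear anywhere
            return term
        if (term[0] in restriction_funcs) == (side == 'R'):   # right language: descend
            return (term[0],) + tuple(fix(a, side) for a in term[1:])
        if (term, side) not in memo:
            other = 'M' if side == 'R' else 'R'
            x = memo[(term, side)] = next(fresh)
            moved = (term[0],) + tuple(fix(a, other) for a in term[1:])
            if side == 'M':
                restriction.append((True, '=', (x, moved)))
            else:
                matrix.append((False, '=', (x, moved)))
        return memo[(term, side)]

    for positive, pred, args in clause:      # step 1: place literals by predicate symbol
        side = 'R' if pred in restriction_preds else 'M'
        fixed = tuple(fix(a, side) for a in args)   # step 2: move foreign terms
        if side == 'R':                      # the restriction holds the negated C1 literals
            restriction.append((not positive, pred, fixed))
        else:
            matrix.append((positive, pred, fixed))
    return restriction, matrix


def show_term(t):
    return t if isinstance(t, str) else f"{t[0]}({', '.join(show_term(a) for a in t[1:])})"


def show_literal(positive, pred, args):
    if pred == '=':
        return f"{show_term(args[0])} {'=' if positive else '!='} {show_term(args[1])}"
    return ('' if positive else '~') + show_term((pred,) + tuple(args))


def show_clause(restriction, matrix):
    return (' & '.join(show_literal(*l) for l in restriction) + ' => '
            + ' | '.join(show_literal(*l) for l in matrix))


LIST_FUNCS = frozenset({'head', 'tail', 'cons'})   # the language L1 of T1

# Constructed inputs: the formula of Example 2.1 and the append axiom of Example 2.3.
EX_2_1 = [(False, '=', (('tail', 'L'), 'nil'))]
APPEND_AXIOM = [(True, '=', (('append', ('cons', '?u', '?v'), '?w'),
                             ('cons', '?u', ('append', '?v', '?w'))))]

if __name__ == '__main__':
    for clause in (EX_2_1, APPEND_AXIOM):
        print(show_clause(*separate(clause, LIST_FUNCS)))
```

Running it prints `?v0 = tail(L) => ?v0 != nil` for Example 2.1 and, for the append axiom, a restriction `?v0 = cons(?u, ?v) & ?v1 = cons(?u, ?v2)` with matrix `?v2 != append(?v, ?w) | append(?v0, ?w) = ?v1`, i.e. clause 5 of the table up to variable names. The memo keyed on (term, side) is what lets one variable stand for repeated occurrences of the same foreign term.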

Separated binary resolution computes a resolvant of two clauses, $C'$ and $C''$, each separated relative to a theory $T_1$. This resolvant is also a clause separated relative to $T_1$. Informally, a resolvant is computed as follows. First, ordinary resolution is performed on the matrices (right hand sides) of $C'$ and $C''$ to form the matrix of the resolvant. The resulting substitution $\sigma$ is used in forming the restriction of the resolvant, which is the conjunction of the restrictions of $C'$ and $C''$ with the substitution $\sigma$ applied. If the new restriction is unsatisfiable in $T_1$, the resolvant is true and, as a practical matter for resolution refutation, can be discarded.

Definition 2.2 (Separated Binary Resolution) Let $C'$ and $C''$ be variable-disjoint clauses separated relative to a theory $T_1$. Let $C' = \alpha_1 \wedge \ldots \wedge \alpha_n \Rightarrow l_1 \vee Q$ and $C'' = \beta_1 \wedge \ldots \wedge \beta_p \Rightarrow l_2 \vee R$, where $Q$ and $R$ are (possibly empty) clauses. If $l_1$ and $\overline{l_2}$ unify with most general unifier $\sigma$ and $\exists[(\alpha_1 \wedge \ldots \wedge \alpha_n \wedge \beta_1 \wedge \ldots \wedge \beta_p)\sigma]$ is satisfiable in $T_1$, the separated resolvant of $C'$ and $C''$ is the separation of $(\alpha_1 \wedge \ldots \wedge \alpha_n \wedge \beta_1 \wedge \ldots \wedge \beta_p)\sigma \Rightarrow (Q \vee R)\sigma$.

Example 2.2 In step 8 of Example 2.3, the existential closure of the derived restriction $(x = tail(w)) \wedge (y = cons(u, z))$ is satisfiable in the theory of LISP list structure. Therefore, the resolvant is retained.

Lemma 2.1 (Soundness of separated binary resolution) Let $\Psi$ be a set of separated clauses and let $\psi$ be a clause derived from two elements of $\Psi$ by separated binary resolution. If $M$ is a model of $\Psi$, $M$ is a model of $\Psi \cup \{\psi\}$.

Proof: Soundness here follows immediately from the soundness of ordinary binary resolution. The satisfiability check on the restriction of the resolvant is not necessary for soundness of the rule overall. Rather, if the restriction of the resolvant is unsatisfiable, the separated clause is a tautology. []

Definition 2.3 (Separated Paramodulation) Let $l[t]$ be a literal with at least one occurrence of the term $t$. Let $C'$ and $C''$ be variable-disjoint clauses separated relative to a theory $T_1$. Let $C' = \alpha_1 \wedge \ldots \wedge \alpha_n \Rightarrow l[t] \vee Q$ and $C'' = \beta_1 \wedge \ldots \wedge \beta_p \Rightarrow (r = s) \vee R$, where $Q$ and $R$ are (possibly empty) clauses. If $t$ and $r$ unify with most general unifier $\sigma$ and $\exists[(\alpha_1 \wedge \ldots \wedge \alpha_n \wedge \beta_1 \wedge \ldots \wedge \beta_p)\sigma]$ is satisfiable in $T_1$, a separated paramodulant of $C'$ and $C''$ is the separation of $(\alpha_1 \wedge \ldots \wedge \alpha_n \wedge \beta_1 \wedge \ldots \wedge \beta_p)\sigma \Rightarrow l\sigma[s\sigma] \vee Q\sigma \vee R\sigma$, where $l\sigma[s\sigma]$ is the literal $l$ with the substitution $\sigma$ applied and one occurrence of $t\sigma$ replaced with $s\sigma$.

1. The separation of the resolvant does not have to be a separate step. However, it simplifies the presentation.

As with resolution, soundness of separated paramodulation follows from the soundness of the ordinary 
paramodulation rule. 

An ordinary refutation of a set of clauses $C$ consists of a sequence of clauses where each clause is an element of $C$ or is derived from two preceding clauses in the sequence by binary resolution or paramodulation. An ordinary refutation is closed when the empty clause is derived. A separated refutation is a sequence of separated clauses derived using the separated rules. Unlike an ordinary refutation, a separated refutation is not necessarily closed when a clause with an empty matrix is derived. Instead, in general, there is a set of clauses $\{C_1 \Rightarrow [], \ldots, C_n \Rightarrow []\}$ each of which has a separated refutation such that $T_1 \models \exists C_1 \vee \ldots \vee \exists C_n$. A proof of this fact can be found in [Burckert 91], where it is also shown that this disjunction is finite so long as $T_1$ is first-order (this is a consequence of Compactness). Hence, a closed separated refutation ends with a collection of separated clauses all of whose matrices are empty such that the existential closure of the disjunction of their restrictions is a theorem of $T_1$.

Lemma 2.2 (Soundness of separated refutation) If the separation of a set of clauses $C$ has a closed separated refutation, $C$ is unsatisfiable.

Proof: This result follows immediately from soundness of separated binary resolution and separated paramodulation, and the fact that if a set of separated clauses is unsatisfiable, so is the unseparated clause set.

An inference system with ordinary bin­ary resolution and ordinary paramodulation is complete if reflexivity axioms are included. In order for a system including separated versions of these rules to be complete, a number of additional types of axioms must be added such as separated versions of predicate congruence axioms. In practice, completeness has not been an issue in our work on deductive synthesis, so we do not discuss it further here.

[Burckert 91] points out that for some restriction theories, closed separated refutations can always be obtained by considering the validity of only the restrictions of individual clauses. For instance, it is proven that if $T_1$ is a definite theory, i.e., a theory that can be written as a set of definite clauses, closed separated refutations are guaranteed for query clauses whose restrictions contain only positive literals. This paper focuses on the case where validity of only single restrictions needs to be checked. When this is not the case, getting a closed separated refutation requires an additional inference rule (such as consensus [Dunham 63]) or it requires decision procedures to be used in a more complicated manner than presented here. Thus far the simpler case has been sufficient in our work on deductive synthesis.

The definition of a separated clause prohibits the derivation of clauses with empty matrices when terms that are not in the restriction language appear, i.e., these terms keep getting separated back into the matrix. In this case, the matrix of a clause will end up containing only literals of the form $t \neq x$ for some variable $x$ and some term $t$ in the language $L - L_1$ not containing $x$. Such a clause can be viewed as having an empty matrix with the disequalities considered as substitutions for variables in the restriction. Our system completes refutations by applying these substitutions to the restriction (rendering the clause no longer separated) and then checking the validity of the resultant restriction.

Example 2.3. Given the theory (with $L$ a constant symbol):

$x = x \wedge L \neq nil \wedge tail(L) \neq nil$

$L \neq nil \rightarrow (tail(L) \neq nil \rightarrow tail(L) = append(front(tail(L)), cons(last(tail(L)), nil)))$

$append(cons(u, v), w) = cons(u, append(v, w))$

$(x \neq nil) \rightarrow x = cons(head(x), tail(x))$

$head(cons(x, y)) = x \wedge tail(cons(x, y)) = y \wedge cons(x, y) \neq nil$

In this theory, the functions front (which “computes” all but the last of a list) and last (which “computes” the last element of a list) are constrained in terms of the functions append, cons, and tail. The theorem proved below can be viewed as a simple deductive synthesis query where we are attempting to derive the functions front (a witness for $y$) and last (a witness for $z$) under the assumption, for an input list $L$, that $L \neq nil$ and $tail(L) \neq nil$. Let $T_1$ be a theory of HEAD, TAIL, CONS and NIL. A refutation that is separated relative to $T_1$ is given below. Clauses 1-5 below are the first three axioms above separated relative to $T_1$. Note that these are the clauses of $T - T_1$.


1. Given: $\Rightarrow x = x$

2. Given: $\Rightarrow L \neq nil$

3. Given: $x = tail(L) \Rightarrow (x \neq nil)$

4. Given: $(x = tail(L) \wedge y = cons(z, nil) \wedge w = tail(L)) \Rightarrow (x = nil \vee L = nil \vee z \neq last(w) \vee x = append(front(x), y))$

5. Given: $(x = cons(u, v)) \wedge (y = cons(u, z)) \Rightarrow append(x, w) = y \vee z \neq append(v, w)$

6. Negated conclusion: $x_1 = cons(z_1, nil) \Rightarrow (L \neq append(y_1, x_1))$

7. Paramodulate 5 into 6: $(x = cons(u, v)) \wedge (L = cons(u, z)) \wedge (w = cons(z_1, nil)) \Rightarrow (z \neq append(v, w))$

8. Resolve 2 and 4: $(x = tail(L)) \wedge (y = cons(u, nil)) \Rightarrow (x = nil) \vee (x = append(front(x), y)) \vee (u \neq last(x))$

9. Resolve 3 and 8: $(x_1 = tail(L)) \wedge (y_1 = cons(u_1, nil)) \Rightarrow (x_1 = append(front(x_1), y_1)) \vee (u_1 \neq last(x_1))$

10. Resolve 9 and 7: $(x = cons(u, front(z))) \wedge (L = cons(u, z)) \wedge (w = cons(z_1, nil)) \wedge (z = tail(L)) \wedge (w = cons(u_1, nil)) \Rightarrow (u_1 \neq last(z))$

11. Resolve 10 and 1: $(x = cons(u, front(z))) \wedge (L = cons(u, z)) \wedge (w = cons(z_1, nil)) \wedge (z = tail(L)) \wedge (w = cons(last(z), nil)) \Rightarrow []$

Since the existential closure of the restriction of clause 11 is a theorem of $T_1$ (... of the interpretation of front and last), the proof is finished.


3 The Decision Procedure Interface 

This section describes how decision procedures are interfaced to the theorem prover through the separated inference rules presented in the previous section. We identify the properties a decision procedure must have in order for it to be interfaced. We also show that there is a large and interesting class of decision procedures that meet this requirement.

A decision procedure is interfaced to the theorem prover for proving a theorem $\phi$ in a theory $T$ by identifying a restriction theory $T_1 \subseteq T$ for which the procedure decides satisfiability. The clauses of $T - T_1$ and $\neg\phi$ are separated relative to $T_1$ and the decision procedure checks the satisfiability of derived restrictions.

An important question is, “What is the utility of our technique for interfacing decision procedures to a theorem prover?” The answer to this question turns on the following question: “How large is the class of decision procedures that can be interfaced?” To be interfaced, a procedure must decide satisfiability of clause restrictions. As mentioned, restrictions are conjunctions of literals possibly containing variables. One class of procedures that appears to be large is the class of ground literal satisfiability procedures. These are procedures that decide satisfiability of conjunctions of ground literals. It turns out that, even though restrictions of first-order clauses have variables in them, it is possible to interface any ground literal satisfiability procedure. We now establish this fact.

Definition 3.1 (Ground Literal Satisfiability Procedure) A ground literal satisfiability procedure (GLSP) for a theory $T$ is a procedure that decides whether or not a conjunction of ground literals $F$ is satisfiable in $T$. The language of $F$ must be the language of $T$ but may be extended by a collection of uninterpreted function symbols (including constants).
Theorem 3.1 (Applicability of GLSPs) If $P$ is a GLSP for a theory $T_1$, $P$ can be used to decide the satisfiability in $T_1$ of the restriction of any clause separated relative to $T_1$.

Proof Sketch: Let $C = [\overline{C_1} \Rightarrow C_2]$ be a clause separated relative to $T_1$. Let $x_1, \ldots, x_n$ be the variables in $\overline{C_1}$. Let $\sigma$ be the substitution $\{x_1 \leftarrow c_1, \ldots, x_n \leftarrow c_n\}$, where the $c_i$ are new uninterpreted constant symbols. Replace the restriction of $C$ with $x_1 = c_1 \wedge \ldots \wedge x_n = c_n \wedge \overline{C_1}\sigma$.

The full proof shows that (a) $x_1 = c_1 \wedge \ldots \wedge x_n = c_n \wedge \overline{C_1}\sigma$ and $\overline{C_1}$ are cosatisfiable and (b) the satisfiability of $C$ implies the satisfiability of $(x_1 = c_1 \wedge \ldots \wedge x_n = c_n \wedge \overline{C_1}\sigma) \Rightarrow C_2$. Hence, we can replace any separated clause $C$ with the clause $[x_1 = c_1 \wedge \ldots \wedge x_n = c_n \wedge \overline{C_1}\sigma] \Rightarrow C_2$ and decide the satisfiability of the restriction of such a clause by deciding the satisfiability of the ground conjunction $\overline{C_1}\sigma$. []

The fact that any GLSP can be interfaced to the separated inference rules is a fortunate situation because many GLSPs have been identified [N&O 79][N&O 80][Cyrluk 96]. In addition, there is reason to believe that there are many more procedures in this class. For instance, [N&O 80] shows how to extend a GLSP for the theory of equality with uninterpreted function symbols to a theory of LISP list structure, i.e., a theory in which the function symbols HEAD, TAIL, CONS and NIL are interpreted. Their procedure can be interfaced to our system and used to check satisfiability of restrictions in our running example, i.e., the restriction of the clause derived in step 9 of Example 2.1

$(x = cons(u, front(z))) \wedge (L = cons(u, z)) \wedge (w = cons(z_1, nil)) \wedge (z = tail(L)) \wedge (w = cons(u_1, nil))$

can be checked for satisfiability in the theory of LISP list structure using Nelson & Oppen’s procedure by considering all the variables to be constants.

We have also constructed several new procedures by extending a GLSP for uninterpreted function symbols. Also, [Gallier 86, ch. 10.6] gives techniques for constructing GLSPs based on congruence closure for conjunctions of ground literals containing predicates. The essential idea is to introduce boolean constants True and False and to represent $P(t_1, \ldots, t_n)$ as $P(t_1, \ldots, t_n) = True$ and $\neg P(t_1, \ldots, t_n)$ as $P(t_1, \ldots, t_n) = False$. Then, if the congruence closure graph of a conjunction $F$ contains $True = False$, $F$ is unsatisfiable.

Perhaps more interestingly, both [N&O 79] and [Cyrluk 96] describe techniques for combining GLSPs with disjoint languages into a GLSP for the union of these languages, and much work has been done recently on the closely related topic of combining decision procedures for equational theories [Baader 97].

Hence, we are in the convenient situation of being able to combine GLSPs to create a GLSP for a restriction theory. Given a theory $T$, we can design from components an integrated decision procedure for a restriction theory. See [Lowry 97] or [Roach 97] for examples of techniques for designing decision procedures from components.

4 Deductive Synthesis Decision Procedures 

This section shows that if a GLSP has the additional property of being closure-based it can be used not only to check satisfiability but also to check for entailment and to produce witnesses for deductive synthesis. All of the procedures mentioned in Section 3 as well as all of the procedures we have used in our work on deductive synthesis are closure-based.

As discussed in Section 2, producing a closed separated refutation requires that the disjunction of the restrictions from a set of clauses with empty matrices be checked for entailment. Recall that this paper is focused on restriction theories in which only single restrictions must be checked for entailment. Hence, automated separated refutations require decision procedures for computing both satisfiability and entailment of restrictions.

For the entailment problem, we cannot use the technique of replacing universally quantified variables in a restriction with uninterpreted constants. Instead, these variables are replaced by existentially quantified variables. (An argument similar to the proof of Lemma 4.1 can be used to justify this.) For the entailment check, we need decision procedures that are literal entailment procedures.

Definition 4.1 A literal entailment procedure (LEP) for a theory $T$ is a procedure that decides for a conjunction of literals $F$ in the language of $T$ (possibly containing variables) whether or not $T \models \exists F$.

While in general the satisfiability procedure and the entailment procedure for a restriction theory are separate procedures, we have found that closure-based GLSPs can also be used as LEPs.

Definition 4.2 (Closure-based satisfiability procedure) A closure-based satisfiability procedure computes satisfiability of a set of formulas $\Phi$ by constructing a finite set $\Psi$ of ground consequences of $\Phi$ such that $\Psi$ contains a ground literal and its negation just in case $\Phi$ is unsatisfiable.

GLSPs based on congruence closure are examples of closure-based satisfiability procedures. They 
construct a congruence graph to check satisfiability of a conjunction of literals. As new literals are added to 
a conjunction, new nodes representing terms are added to the graph and/or congruence classes are merged. 

We illustrate how a closure-based satisfiability procedure is used as a LEP with Nelson & Oppen’s 
HEAD-TAIL-CONS GLSP. 

Example 4.1 In step 11 of Example 2.3, it must be shown that the existential closure of

$(x = cons(u, front(z))) \wedge (L = cons(u, z)) \wedge (w = cons(z_1, nil)) \wedge (z = tail(L)) \wedge (w = cons(last(z), nil))$

is a theorem of the HEAD-TAIL-CONS theory. First, the Nelson & Oppen GLSP is used to check the satisfiability of this conjunction assuming that the variables are uninterpreted constants. In doing so, the procedure computes the following additional equalities. From $L = cons(u, z)$, we get $u = head(L)$. Hence, $x = cons(head(L), front(tail(L)))$. From $w = cons(z_1, nil)$ and $w = cons(last(z), nil)$, we get $head(cons(z_1, nil)) = head(cons(last(z), nil))$. Hence, $z_1 = last(z)$ and $z_1 = last(tail(L))$. What the procedure has shown is that in every model of $T$ in which $F(c_1, \ldots, c_n)$ is satisfiable, $F(t_1, \ldots, t_n)$ is satisfiable. Next, the procedure is used to check the unsatisfiability of $\neg F(t_1, \ldots, t_n)$. Since $\neg F(t_1, \ldots, t_n)$ is a disjunction which is unsatisfiable just in case all of its disjuncts are, each literal of $\neg F(t_1, \ldots, t_n)$ can be checked separately. If $\neg F(t_1, \ldots, t_n)$ is unsatisfiable, $T \models F(t_1, \ldots, t_n)$ and $T \models \exists F$. We have exploited the following fact in this analysis.

Lemma 4.1 Let $F(c_1, \ldots, c_n)$ be a conjunction of ground literals that is satisfiable in a theory $T$. Further, suppose that the constant symbols $c_1, \ldots, c_n$ do not occur in $T$. If $T \cup F \models (c_1 = t_1 \wedge \cdots \wedge c_n = t_n)$, where each $t_i$ is a term not containing any of the $c_j$s, $T \models \forall x_1, \ldots, x_n (F(x_1, \ldots, x_n) \Rightarrow (x_1 = t_1 \wedge \cdots \wedge x_n = t_n))$.

Proof: Suppose $T \cup F \models (c_1 = t_1 \wedge \cdots \wedge c_n = t_n)$. Then, by the deduction theorem, $T \models (F(c_1, \ldots, c_n) \Rightarrow (c_1 = t_1 \wedge \cdots \wedge c_n = t_n))$. Also, since the $c_i$ do not appear in $T$, the first-order law of universal generalization gives us $T \models \forall x_1, \ldots, x_n (F(x_1, \ldots, x_n) \Rightarrow (x_1 = t_1 \wedge \cdots \wedge x_n = t_n))$. []

Lemma 4.1 gives us license to use a GLSP to find potential witnesses for existentially quantified variables, i.e., terms that make $F$ true in every model of $T$ in which $F$ is true. The GLSP is then used to check that these potential witnesses are, in fact, witnesses, i.e., that they make $F$ true in every model of $T$.

We have used the separated refutation system in the context of deductive synthesis where we are only interested in constructive proofs in which witnesses have been produced for existentially quantified variables in a theorem. In this context, decision procedures must produce witnesses. Closure-based GLSPs have an added benefit in deductive synthesis, namely that such a GLSP establishes that the existential closure of a restriction is a theorem by constructing witnesses. These witnesses can be extracted to produce programs in deductive synthesis. For example, in proving the theorem $\exists\{y, z\}(L = append(y, cons(z, nil)))$ in Example 2.3, the Nelson & Oppen GLSP produces witnesses for $y$ and $z$. These are $cons(head(L), front(tail(L)))$ and $last(tail(L))$ respectively, which are the synthesized programs for $front(L)$ and $last(L)$ under the assumption that $L \neq nil$ and $tail(L) \neq nil$.

Thus far in our deductive synthesis work, all the GLSPs we have developed can be used in this manner. 

5 Implementation 

We compared the performance of three deductive synthesis systems: an untuned system, a system manually tuned by a program synthesis expert, and a system tuned by interfacing several decision procedures to the theorem prover. The untuned system describes the state of Amphion/NAIF before the theorem proving expert tuned that system. This untuned system is exactly the type of system we expect Meta-Amphion will be given as input.

The domain theory for the hand-tuned system consisted of 330 first-order axioms. In the untuned and Meta-Amphion tuned systems there were approximately 320 axioms. Many of these axioms are equalities, some of which are oriented and used as rewrite rules. A series of 27 specifications was used to test these synthesis systems. These specifications ranged from trivial with only a few literals to fairly complex with dozens of literals. Thirteen of the specifications were obtained as solutions to problem specifications given by domain experts, thus this set is representative of the problems encountered during real world use.

Five procedures were created and used to prove each of the 27 specifications. Each of these procedures 
was interfaced to the SNARK resolution theorem prover using the inference rules described in Section 2. 
Although the programs generated were not always identical, it was shown that solutions to the same prob- 
lem specification were always programs that computed the same values. 

In Figure 1, the untuned system showed exponential behavior with respect to the specification size for 
the number of inference steps (and the CPU time) required to generate a program. The hand-tuned and 
TOPS-generated systems both grew much less rapidly, with the TOPS-generated system growing at about 
one third the rate of the hand-tuned system in the number of inference steps required to obtain a proof, as 
shown in Figure 2. 